The EARN IT Bill Is the Government’s Plan to Scan Every Message Online

The EARN IT Bill Is the Government’s Plan to Scan Every Message Online

Imagine an Internet where the law required every message sent to be read by government-approved scanning software. Companies that handle such messages wouldn’t be allowed to securely encrypt them, or they’d lose legal protections that allow them to operate.

That’s what the Senate Judiciary Committee has proposed and hopes to pass into law. The so-called EARN IT bill, sponsored by Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT), will strip Section 230 protections away from any website that doesn’t follow a list of “best practices,” meaning those sites can be sued into bankruptcy. The “best practices” list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption, and guarantee law enforcement “legal access” to any digital message.

The EARN IT bill had its first hearing today, and its supporters’ strategy is clear. Because they didn’t put the word “encryption” in the bill, they’re going to insist it doesn’t affect encryption.

“This bill says nothing about encryption,” co-sponsor Sen. Blumenthal said at today’s hearing. “Have you found a word in this bill about encryption?” he asked one witness.

It’s true that the bill’s authors avoided using that word. But they did propose legislation that enables an all-out assault on encryption. It would create a 19-person commission that’s completely controlled by the Attorney General and law enforcement agencies. And, at the hearing, a Vice-President at the National Center for Missing and Exploited Children (NCMEC) made it clear [PDF] what he wants the best practices to be. NCMEC believes online services should be made to screen their messages for material that NCMEC considers abusive; use screening technology approved by NCMEC and law enforcement; report what they find in the messages to NCMEC; and be held legally responsible for the content of messages sent by others.

The 19-person draft commission isn’t any better than the 15-person commission envisioned in an early draft of the bill. It’s completely dominated by law enforcement and allied groups like NCMEC. Not only will those groups have a majority of votes on the commission, but the bill gives Attorney General Barr the power to veto or approve the list of best practices. Even if other commission members do disagree with law enforcement, Barr’s veto power will put him in a position to strongarm them.

The Commission won’t be a body that seriously considers policy; it will be a vehicle for creating a law enforcement wish list. Barr has made clear, over and over again, that breaking encryption is at the top of that wish list. Once it’s broken, authoritarian regimes around the world will rejoice, as they have the ability to add their own types of mandatory scanning, not just for child sexual abuse material but for self-expression that those governments want to suppress.

The privacy and security of all users will suffer if U.S. law enforcement is able to achieve its dream of breaking encryption. Senators should reject the EARN IT bill.

This is a technical guide for administrators affected by the STARTTLS Everywhere project. Check out our overview post of the project! The STARTTLS policy list started off as a mechanism for mailservers to learn TLS information about other servers from EFF’s perspective. Since MTA-STS was launched, it has evolved...

This is an overview of the STARTTLS Everywhere project. If your mailserver is affected by these changes, check out our technical deep-dive to securing your mailserver! EFF started our STARTTLS Everywhere project in 2014, in a post-Snowden moment when the technology community banded together to push transport encryption...

If you follow security on the Internet, you may have seen articles warning you to “beware of public Wi-Fi networks" in cafes, airports, hotels, and other public places. But now, due to the widespread deployment of HTTPS encryption on most popular websites,advice to avoid public Wi-Fi is...

This February, with Venezuela rocked by economic collapse and a presidential succession crisis, an opposition party put out a call for volunteers. Juan Guaidó, a political leader with the Popular Will party, called on supporters to register at the site “Volunteers for Venezuela”. Guaidó announced that the call...

Top law enforcement officials in the United States, United Kingdom, and Australia told Facebook today that they want backdoor access to all encrypted messages sent on all its platforms. In an open letter, these governments called on Mark Zuckerberg to stop Facebook’s plan to introduce end-to-end encryption on...

In the digital world, strong encryption is how private conversations stay private. It’s also what keeps our devices secure. Encryption is under a new set of attacks by law enforcement, who continue to seek a magic bullet—a technological backdoor that could circumvent encryption, but somehow not endanger privacy and security...

Thanks to the success of projects like Let’s Encrypt and recent UX changes in the browsers, most page-loads are now encrypted with TLS. But DNS, the system that looks up a site’s IP address when you type the site’s name into your browser, remains unprotected by encryption. Because...

The good news: TLS 1.3 is available, and the protocol, which powers HTTPS and many other encrypted communications, is better and more secure than its predecessors (including SSL). The bad news: Thanks to a financial industry group called BITS, there’s a look-alike protocol brewing called ETS (or...